JIRA : SQOOP-1834 and its sub tickets, SQOOP-2048 and its sub tickets

Problem

Sqoop 2 needs a pluggable role based access controller (RBAC), which is responsible for the authorization to Sqoop 2 resources, such as server, connector, link, job, etc.

...

Resource, actions and rules

Resource	Global Namespace	Instance
Connector	View Use	View Use
Link	Create View Update Delete Use Enable_Disable	View Update Delete Use Enable_Disable
Job	Create View Update Delete Enable_Disable Start_Stop Status	View Update Delete Enable_Disable Start_Stop Status

Server has three children: Connector, Link, Job.

It is a hierarchy mode. If a user has the privilege of {server, all}, then he/she has all privileges of {connector, all}, {link, all} and {job, all}.
If a user has the privilege of {job, all}, then he/she has both privileges of {job, read} and {job, write}.
If a user want to create a link, then he/she need to have the privilege of {server, create}

View

Resource	Global Namespace
Server	All Read Write
Connector	All Read
Link	All Read Write
Job	All Read Write
Resource	Action	Implicit action
Connector	View
Connector	Use	View
Link	Create	View, Update, Delete, Use, Enable_Disable
Link	View
Link	Update	View, Delete, Use, Enable_Disable
Link	Delete	View, Use, Enable_Disable
Link	Use	View, Enable_Disable
Link	Enable_Disable	View
Job	Create	View, Update, Delete, Use, Enable_Disable, Start_Stop, Status
Job	View
Job	Update	View, Delete, Enable_Disable, Start_Stop, Status
Job	Delete	View, Enable_Disable, Start_Stop, Status
Job	Enable_Disable	View
Job	Start_Stop	View, Enable_Disable, Status
Job	Status

Action	Privilege needed
show connector	connector viewread
show link	link viewread
create link	link server create (global) connector useread
update link	link updatewrite connector useread
delete link	link deletewrite
enable link	link enable_disablewrite
disable link	link enable_disablewrite
show job	job viewread
create job	job create (global) both links useread
update job	job updatewrite both links useread
delete job	job deletewrite
enable job	job enable_disablewrite
disable job	job enable_disablewrite
start job	job start_stopwrite
stop job	job start_stopwrite
show submission	job statusread

Authorization framework

...

Code Block

#org.apache.sqoop.authorization.handler=org.apache.sqoop.security.DefaultAuthorizationHandler
#org.apache.sqoop.authorization.controller=org.apache.sqoop.security.DefaultAccessController
#org.apache.sqoop.authorization.validator=org.apache.sqoop.security.DefaultAuthorizationValidator

Image RemovedImage Added

Four metadata classes.
- Role
- principal
  - This class defines user or group.
  - Type: user, group, role.
  - principal could be granted a role. i.e. if we want to grant a admin role to user hadoop, then grantRole (principal (name=hadoop, type=user), role (name=admin)).
- Resource
  - This class defines four resources in Sqoop 2.
  - Type: server, connector, link, job.
- Privilege
  - Action: createall, view, update, delete, use, enable, disableread, write.
  - with_grant_option: boolean, defines whether the role could grant this privilege to other role.

...

Code Block

Override
public void createLinkPrivilige() throws SqoopAccessControlException {
    List<Privilege> privileges;
    privileges.add(new Privilege(new Resource("Link", "1"), "Create", null));
    privileges.add(new Privilege(new Resource("Connector", "1"), "UseRead", null));
    AuthorizationManager.getAuthenticationHandler.checkPrivileges(privileges);
}

...

Code Block
CREATE ROLE role_name DROP ROLE role_name SHOW ROLE

Grant/Revoke Roles

Code Block

GRANT ROLE role_name [, role_name] ... TO principal_specification [, principal_specification] ...

REVOKE ROLE role_name [, role_name] ... FROM principal_specification [, principal_specification] ...
principal_specification:
    USER user_name | GROUP group_name | ROLE role_name

...

Code Block
SHOW ROLE GRANT principal_specification SHOW PRINCIPAL ON ROLE role_name principal_specification: USER user_name \| GROUP group_name \| ROLE role_name

...

Restful call API is handled by org.apache.sqoop.handler.AuthorizationEngine.java in sqoop-server
- PUT POST /authorization/roles/rolecreate
  - Create new role with role_{name}
- DELETE /authorization/role/{role_-name}
- GET /authorization/roles
  - Show all roles
- GET /authorization/principals?/role/{role_name={name}
  - Show all principals in role with {role_name{name}
- GET /authorization/roles?principal_type={type}&principal_name={name}
  - Show all roles in principal with {name, type}
- PUT /authorization/roles/grant_role
  - Grant a role to a user/group/role
  - PUT data of JsonObject role(role_name) and principal (name, type)
- PUT /authorization/roles/revoke_role
  - Revoke a role to a user/group/role
  - PUT data of JsonObject role(role_name) and principal (name, type)
- PUT /authorization/privileges/grant_privilege
  - Grant a privilege to a principal
  - PUT data of JsonObject principal(name, type) and privilege (resource (-name, resource-type), action, with_-grant_-option)
- PUT /authorization/privileges/revoke_privilege
  - Revoke a privilege to a principal
  - PUT data of JsonObject principal(name, type) and privilege (resource (-name, resource-type), action, with_-grant_-option)
  - If privilege is null, then revoke all privileges for principal(name, type)
- GET /authorization/privileges?principal/_type={type}/&principal_name={name}?&resource_type={type}&resource_name={name}
  - Show all privileges in principal with {name, type} and resource with {resource_-name, resource_-type}
  - If resource is null, then show all privileges in principal with {name, type}

...

Child pages

Versions Compared

Old Version 25

New Version Current

Key

Problem

Resource, actions and rules

Child pages

Page History

Versions Compared

Old Version 25

New Version Current

Key

Problem

Resource, actions and rules